--------------------------------------------------------------------------
                        -=Introduction to virii=-
                              By |Goliard|

 #1 Introduction to the "Introduction to virii"
 #2 Index to and descriptions of included files (Non viral)
 #3 Analysis of included virii... (F-Prot Pro 3.0)

 (For the truly new to computing: the ASM files are the assembly
 source files for the executables. They can be viewed with any
 text viewer. The .00* files are text files as well; they are
 indexed in section #2. Use any text viewer.)
--------------------------------------------------------------------------

 #1 Introduction to the "Introduction to virii"

 Yeah, this is the intro... Included are some live virii and their
 corresponding source codes, some informational text files, and some
 other goodies. It is intended for those who are curious about virii and
 who are spit on and called lamers (even though it's true) by those who
 spend a lot of time learning to code the things and do not want to deal
 with any bunglers. Though this may raise more questions than answers...
 it is a "First step into a larger world."

 I would ask that this NOT be distributed freely, but only to those who
 hold a genuine interest in virii.... some of the codes ARE indeed
 destructive and not intended to be used for anything other than
 'educational purposes.' I of course am not responsible for any damages,
 as SMITH & WESSON is not responsible for murders with handguns. And
 again, damage would be avoided if this bundle is only distributed to
 those who seek information... not destruction.
--------------------------------------------------------------------------

 #2 Index to and descriptions of included files

 I2V.001   - GLOSSARY of virus related terms.
 I2V.002   - "The safe way to experiment with viruses." (40hex P/S)
 I2V.003   - "Virus recovery 1.1" (Michael S. Arant)
 I2V.004   - A good general overview of... uh... virii. (Dr. Solomon)
 I2V.005   - A somewhat opinionated anti-virus paper by the NCSA
             (National Computer Security Association). Okay reading
             though.
 I2V-1.zip - Information on virus writers, groups, and their run-ins
             with the law. Compiled from: (40hex/Crypt/IR)
 I2V-2.zip - Viruses reported in the wild.
--------------------------------------------------------------------------

 #3 Analysis of included virii... (F-Prot Pro 3.0)

 The files included also have their corresponding source codes. I
 compiled them myself, so the sources included are the very same that
 the active virii were compiled from. (I did not debug, and the EXE
 files may not work correctly; the COMs, however, I am confident will
 work as intended.) The first line of each entry is F-Prot's detection
 of the sample. Following it is F-Prot's analysis and description.
--------------------------------------------------------------------------

 COFFSHOP.EXE
 Seems to be a Coffeeshop-dropper

 Variant: Girafe
 Type:    Resident COM/EXE-files
 Alias:   Coffeeshop

 Girafe was the first virus to use TPE encryption in its code. It
 infects COM and EXE files. On Thursdays it shows a picture from Cannabis
 magazine and the text "Legalize Cannabis". Infected files are 2000-4000
 bytes longer than the original files. The following text can be found
 inside Girafe in encrypted form:

   COSCCLVSNEHTTBVIFIGIRAFEMTBRIM
   [ MK / Trident ]
   Amsterdam = COFFEESHOP!
--------------------------------------------------------------------------

 AMBULANC.COM
 Infection: Ambulance.796.D

 Name: Ambulance
 Size: 796
 Type: Resident COM-files

 As the name indicates, the Ambulance virus displays a moving ambulance
 on the screen, with the sound of a siren accompanying it. Many variants
 are known.
--------------------------------------------------------------------------

 CASINO.COM
 Infection: Casino.2330.B

 Name: Casino
 Size: 2330
 Type: Resident COM-files

 This virus is highly destructive, and may trash the FAT. Before doing
 so, however, it will offer the user to play a game - if he wins, the
 virus will leave the FAT unchanged.
--------------------------------------------------------------------------

 VIENNA.COM
 Infection: Vienna.645.D

 Name: Vienna
 Size: 648
 Type: Non-resident COM-files

 When an infected file is run, Vienna will search for an uninfected file
 and infect it. One out of eight files infected is destroyed instead, by
 overwriting its first few bytes with instructions that cause a reboot
 when the program is run. Infected files can be easily found because
 they contain an "impossible" value (62) in the "seconds" field of the
 time stamp: the DOS time stamp stores seconds divided by two in a
 five-bit field, so a field value of 31 decodes to 62 seconds, which no
 legitimately written file will carry. Unfortunately the source code to
 this virus has been published in a book, "Computer Viruses: A High-Tech
 Disease", which has resulted in multiple variants of the virus. This
 version was modified slightly in order to make it a little less harmful
 - it would only infect files in the current directory - but this has
 been "fixed" in some of the variants.
--------------------------------------------------------------------------

 D-AVENG.EXE
 Infection: New or modified variant of Dark_Avenger

 Name: Dark Avenger
 Size: 1800
 Type: Resident COM/EXE-files

 This virus contains two interesting text strings:

   "Eddie lives...somewhere in time"
   "This program was written in the city of Sofia (C) 1988-89 Dark Avenger"

 The "Eddie" mentioned above is probably the skeleton mascot of the heavy
 metal band Iron Maiden. This was the first virus reported to have
 originated in Bulgaria, but it was soon followed by many others.

 There is only one thing unusual about this virus. It remains resident,
 just as many other viruses do, but it will not only infect a program
 when it is run, but also when the program file is read. This means that
 a harmless program that opened each .EXE and .COM file in turn, for
 example to check them for infection, could easily cause an "epidemic".
 The virus will infect .EXE and .COM files, adding 1800 bytes to their
 length. COMMAND.COM will be one of the first programs to become infected.
 When an infected program is run, there is a 1-in-16 chance that the
 virus will trash a random disk sector.
--------------------------------------------------------------------------

 MICHAEL.EXE
 Seems to be a Stoned-dropper

 Name: Michelangelo
 Type: Resident Boot MBR

 This Stoned variant activates on the birthday of Michelangelo
 Buonarroti, who was born on March 6, 1475. It then overwrites most of
 the hard disk. Structurally it is similar to the Stoned virus, but it
 infects non-360 K diskettes correctly. It is not an easy task to recover
 from the activation of Michelangelo: the virus overwrites the first 17
 sectors on heads 0-3 of the first 256 tracks of the disk the machine
 was booted from.
--------------------------------------------------------------------------

 GOLD-BUG.COM
 Infection: GoldBug (?)

 Name: Goldbug
 Size: 1024
 Type: MBR Companion Resident

 Goldbug is a complex virus. It managed to slip into international
 circulation in summer 1994. Goldbug was, apparently on purpose, attached
 to a pirated beta version of the game DOOM II, which was circulated on
 BBSs worldwide.

 Goldbug infects the main boot records of hard disks and the boot
 sectors of diskettes. It also spreads by using the companion virus
 technique and contains retrovirus features. Goldbug uses an astonishing
 variety of tricks to make detection and surveillance difficult.

 When a file infected by Goldbug is executed, the virus copies its own
 code to the hard disk's main boot record. If the computer has HMA
 memory available, the virus goes resident in memory. If the computer in
 question is not at least a 286, the virus does not do anything. The
 same happens if the system does not use HMA memory.

 When the virus infects the hard disk, it overwrites the partition
 information in the main boot record. Due to Goldbug's stealth
 capabilities, this cannot be seen as long as the virus is resident in
 memory.
 However, if the computer is booted from a clean diskette, the system
 cannot find the hard disk. The effect is similar to that caused by, for
 example, the Monkey virus, and prevents the virus from being removed
 with the FDISK /MBR command (FDISK /MBR rewrites only the boot code and
 leaves the partition table as it is, so with the partition information
 overwritten the disk stays inaccessible).

 The virus goes resident in memory the next time the computer is
 started, storing its own code in color video memory. At this stage,
 Goldbug restores the original main boot record. The virus cannot keep
 its code in color video memory indefinitely, because that would prevent
 graphical programs from functioning. However, at this stage it cannot
 move its code to HMA memory either, since the system's memory
 management programs have not been loaded from CONFIG.SYS yet. The virus
 hooks the video interrupt 10h and waits for HMA to become available. If
 HMA memory is not installed, the virus removes itself from memory once
 the computer switches to graphics mode. Otherwise the virus copies its
 code into HMA memory as soon as it gets the chance. Once in HMA, the
 virus writes its own code back to the main boot record.

 Goldbug infects the boot sectors of 1.2 MB diskettes like a normal boot
 sector virus. All non-write-protected diskettes used in a
 Goldbug-infected computer are infected. In addition to the diskette
 boot sector, Goldbug uses two sectors on the diskette to store its
 code; however, unlike most other boot sector viruses, Goldbug checks
 that these sectors are empty before infecting the diskette.

 Goldbug uses quite an unusual method for infecting diskettes. If a
 computer is booted from an infected diskette, the virus stays resident
 in video memory until it gains access to HMA memory. When HMA memory
 becomes available, the virus infects the hard disk. At the same time,
 it removes its own code from the diskette, and won't infect it again
 while it stays in the drive. This makes it difficult to trace an
 infection's source, because the diskette the virus originally arrived
 on may not be infected any longer.
 When the virus is active, it infects EXE programs as they are executed.
 When such a program is executed, the virus creates a companion file for
 it in the same directory and removes the original file's extension. For
 example, a file called PROGRAM.EXE will be renamed PROGRAM. The
 companion file is then given the name of the original file. The virus
 takes care to create a companion file with the same size, creation date
 and attributes as the original file. The original file is given the
 system attribute, so that it does not appear in a directory listing.
 The virus does not create companion files on diskettes. However, it
 will infect files over a network, as long as the user has the right to
 create and rename files on the network.

 Goldbug employs a variable encryption routine. The virus can use 512
 different decryption routines, each of which it can modify in 128
 different ways. Nevertheless, the virus's encryption technique cannot
 be called truly polymorphic. The virus's encryption routines are
 protected, which makes it difficult to decrypt the virus for analysis.

 Goldbug is a stealth virus. When the main boot record of an infected
 hard disk or the boot sector of an infected diskette is examined, the
 virus shows the user a copy of the original object. When an infected
 EXE file is executed, the virus reroutes the operation to the original
 file. If some program tries to delete a companion file the virus has
 created, the virus causes the original file to be deleted instead.

 Most viruses which hijack the disk interrupt int 13h are easily caught
 if the computer is running Windows 3.1 with 32-bit disk access on. In
 that case, Windows reports an error during startup if the virus has
 changed the disk interrupt address. Goldbug bypasses this problem by
 releasing int 13h when Windows is started. The virus also restores the
 main boot record to its original place. When Windows terminates, the
 virus infects the main boot record again.
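 Two of the on-disk traces described in these F-Prot entries can be found
 by reading raw FAT directory entries rather than trusting what DOS (or
 a resident stealth virus) reports: Vienna's impossible 62-second time
 stamp, and Goldbug's extension-less SYSTEM-attributed original sitting
 next to a same-named .EXE companion of equal size and date. The Python
 below is an added example written for this page; it is not code from
 this archive, from F-Prot, or from either virus. The directory it scans
 is constructed inline (the file names, sizes and dates are made up),
 and the companion check assumes the "creation date" the text mentions
 is the single write date/time a DOS directory entry carries.

```python
import struct
from dataclasses import dataclass

# FAT attribute bits as stored in the on-disk directory entry.
ATTR_READ_ONLY = 0x01
ATTR_HIDDEN    = 0x02
ATTR_SYSTEM    = 0x04
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10
ATTR_ARCHIVE   = 0x20

# 32-byte short-name entry: name(11) attr ntres crt_tenth crt_time crt_date
# acc_date clus_hi wrt_time wrt_date clus_lo size
ENTRY_FMT = "<11sBBBHHHHHHHI"
assert struct.calcsize(ENTRY_FMT) == 32


@dataclass
class DirEntry:
    name: str        # "NAME.EXT" with padding removed
    attr: int
    wrt_time: int    # raw packed DOS time word
    wrt_date: int    # raw packed DOS date word
    size: int


def decode_dos_time(word):
    """Unpack a DOS time word: 5 bits hours, 6 bits minutes, 5 bits seconds/2."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2


def encode_dos_time(hours, minutes, seconds):
    """Pack a DOS time word; seconds are halved, so 62 fits as field value 31."""
    return (hours << 11) | (minutes << 5) | (seconds // 2)


def parse_entries(raw):
    """Parse a raw FAT directory, skipping deleted, label and long-name entries."""
    entries = []
    for off in range(0, len(raw) - 31, 32):
        fields = struct.unpack(ENTRY_FMT, raw[off:off + 32])
        name11, attr = fields[0], fields[1]
        wrt_time, wrt_date, size = fields[8], fields[9], fields[11]
        if name11[0] == 0x00:                       # no more entries
            break
        if name11[0] == 0xE5 or attr & ATTR_VOLUME_ID:
            continue                                # deleted, volume label or LFN piece
        base = name11[:8].decode("ascii").rstrip()
        ext = name11[8:].decode("ascii").rstrip()
        entries.append(DirEntry(f"{base}.{ext}" if ext else base,
                                attr, wrt_time, wrt_date, size))
    return entries


def vienna_marked(entries):
    """Names whose time stamp carries Vienna's impossible 62-second marker."""
    return [e.name for e in entries if decode_dos_time(e.wrt_time)[2] == 62]


def goldbug_companions(entries):
    """(companion, original) pairs: an extension-less SYSTEM file beside a
    same-named .EXE of equal size and write date, as Goldbug leaves them."""
    by_name = {e.name: e for e in entries}
    pairs = []
    for orig in entries:
        if "." in orig.name or not orig.attr & ATTR_SYSTEM or orig.attr & ATTR_DIRECTORY:
            continue
        comp = by_name.get(orig.name + ".EXE")
        if comp and not comp.attr & ATTR_DIRECTORY \
                and comp.size == orig.size and comp.wrt_date == orig.wrt_date:
            pairs.append((comp.name, orig.name))
    return pairs


def make_entry(name, attr, wrt_time, wrt_date, size):
    """Build one raw 32-byte entry (only used to construct the sample below)."""
    base, _, ext = name.partition(".")
    name11 = (base.ljust(8) + ext.ljust(3)).encode("ascii")
    return struct.pack(ENTRY_FMT, name11, attr, 0, 0, 0, 0, 0, 0,
                       wrt_time, wrt_date, 0, size)


# Constructed sample directory: made-up names, sizes and dates, not real data.
CLEAN_TIME = encode_dos_time(9, 30, 10)
MARKED_TIME = encode_dos_time(9, 30, 62)             # Vienna's marker
A_DATE = ((1995 - 1980) << 9) | (3 << 5) | 6          # packed DOS date 1995-03-06
SAMPLE_DIR = b"".join([
    make_entry("COMMAND.COM", ATTR_ARCHIVE, CLEAN_TIME, A_DATE, 54645),
    make_entry("EDIT.COM", ATTR_ARCHIVE, MARKED_TIME, A_DATE, 1061),    # Vienna-marked
    make_entry("PROGRAM.EXE", ATTR_ARCHIVE, CLEAN_TIME, A_DATE, 4096),  # Goldbug companion
    make_entry("PROGRAM", ATTR_ARCHIVE | ATTR_SYSTEM, CLEAN_TIME, A_DATE, 4096),  # hidden original
    make_entry("README.TXT", ATTR_ARCHIVE, CLEAN_TIME, A_DATE, 2000),
    b"\x00" * 32,                                                         # end of directory
])


def scan(raw):
    """Run both checks over a raw directory and return what they found."""
    entries = parse_entries(raw)
    return {"vienna": vienna_marked(entries), "goldbug": goldbug_companions(entries)}


if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_DIR).items():
        print(f"{kind}: {hits}")
```

 On a real disk, feed parse_entries() the bytes of a directory read
 straight from a sector image; a stat() call through a mounted driver
 will not do, both because the resident virus can lie to DOS and because
 modern drivers clamp the seconds field before reporting it, hiding the
 62. The companion check is a heuristic: a legitimately hidden file that
 happens to sit beside a same-sized .EXE would also be reported, so treat
 a hit as something to inspect rather than as proof.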
 Goldbug has extensive retrovirus capabilities. It is able to install
 itself despite the presence of programs like VSAFE.COM or DISKMON.EXE,
 by tunneling past them.

 If Goldbug is resident in memory, it prevents the execution of EXE
 programs whose names have the letter 'A' as their second-to-last
 character and some letter between 'N' and 'Z' as their last character.
 Goldbug does this in order to detect a number of anti-virus programs
 and to prevent them from being executed. The method is effective
 against, for example, the programs SCAN, CLEAN, NETSCAN, CPAV, NAV and
 TBAV. Some innocent programs like MAX.EXE and TERMINAT.EXE are stopped
 as well. Goldbug also deletes the computer's CMOS information every
 time the user tries to run any of these programs.

 When the virus spreads to a directory, it deletes all CHKLIST files the
 directory may contain, thus bypassing CPAV's and MSAV's checksum
 protection.

 Goldbug checks whether the system contains a modem. If the modem
 receives a call, the virus makes the modem wait for the seventh ring
 and then answer. This is the only activation routine the virus
 contains.
-------------------------------------=EOF=--------------------------------